Description
Cleartext Transmission of Sensitive Information (CWE-319) in a component used in the Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations allows unprivileged users with local network access to view live video streams.



This issue affects all versions of Gallagher NxWitness VMS integration prior to 9.10.017 and Gallagher Hanwha VMS integration prior to 9.10.025.
Published: 2026-03-03
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure of live video streams
Action: Update Integration
AI Analysis

Impact

The vulnerability is a cleartext transmission of sensitive information (CWE-319). It allows an unprivileged user who can reach the local network to view live video streams that are intended to be protected. The result is a confidentiality breach that could expose operational video feeds to unauthorized observers.

Affected Systems

Gallagher NxWitness VMS integration versions prior to 9.10.017 and Gallagher Hanwha VMS integration versions prior to 9.10.025 are affected. The issue resides in a component used by these integrations and is exposed only to users with local network access.

Risk and Exploitability

The CVSS score of 5.6 indicates moderate overall risk. EPSS is less than 1%, suggesting exploit probability is very low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector requires local network access; unprivileged users can observe live video streams without needing higher privileges or remote access. Because the data are transmitted in cleartext, an attacker can capture the streams using standard network monitoring tools, posing a data disclosure threat to the organization.

Generated by OpenCVE AI on April 16, 2026 at 14:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gallagher NxWitness VMS integration to version 9.10.017 or later, and the Gallagher Hanwha VMS integration to version 9.10.025 or later.
  • If an upgrade cannot be performed immediately, isolate the VMS integration components from the rest of the network using firewalls or VLAN segmentation to restrict local access to authorized personnel only.
  • Verify that the updated integrations employ TLS or another form of encrypted transport for all video stream traffic to ensure sensitive data are no longer sent in cleartext.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
Title | | Cleartext Transmission of Live Video Streams via Gallagher VMS Integrations

Wed, 04 Mar 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gallagher; Gallagher nxwitness Vms And Hanwha Vms Integrations
Vendors & Products | | Gallagher; Gallagher nxwitness Vms And Hanwha Vms Integrations

Tue, 03 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Mar 2026 03:15:00 +0000

Type | Values Removed | Values Added
Description | | Cleartext Transmission of Sensitive Information (CWE-319) in a component used in the Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations allows unprivileged users with local network access to view live video streams. This issue affects all versions of Gallagher NxWitness VMS integration prior to 9.10.017 and Gallagher Hanwha VMS integration prior to 9.10.025.
Weaknesses | | CWE-319
References | |
Metrics | | cvssV3_1: {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Gallagher

Published:

Updated: 2026-03-03T16:30:31.016Z

Reserved: 2026-03-01T23:45:09.734Z

Link: CVE-2026-20801

Vulnrichment

Updated: 2026-03-03T16:30:26.575Z

NVD

Status: Awaiting Analysis

Published: 2026-03-03T03:15:54.540

Modified: 2026-03-03T21:52:29.877

Link: CVE-2026-20801

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:15:28Z

Weaknesses